mcp-gateway-registry

Implements a dedicated auth-server component that intercepts all requests via NGINX auth_request pattern, validating tokens against Keycloak, Entra ID, or Okta identity providers before routing to downstream services. Supports fine-grained access control (FGAC) through scope-based authorization, token generation with configurable TTLs, and CLI authentication tools for programmatic access. The architecture decouples authentication from business logic, enabling consistent identity enforcement across MCP servers, agents, and registry APIs without modifying individual service code.

Implements a semantic search engine that indexes MCP server capabilities using embeddings, enabling agents and developers to discover tools by natural language intent rather than exact tool names. The registry maintains a catalog of registered MCP servers with versioning, health status, and capability metadata. Discovery queries are embedded and matched against server tool descriptions using vector similarity, with results ranked by relevance. The system supports both keyword search and semantic queries, allowing queries like 'tools for file manipulation' to surface file-system, S3, and database servers simultaneously.

Implements automated security scanning of registered MCP servers, checking for known vulnerabilities in dependencies, insecure configurations, and compliance violations. The pipeline runs on server registration and periodically re-scans existing servers. Generates security reports with severity levels (critical, high, medium, low) and remediation guidance. Integrates with compliance frameworks (SOC2, HIPAA, PCI-DSS) to track compliance status. Audit logging captures all security findings and remediation actions with timestamps and responsible parties.

Maintains immutable audit logs of all registry operations including server registration, tool access, agent invocations, and configuration changes. Each audit event captures identity, action, resource, timestamp, and outcome. Logs are stored in append-only format (MongoDB capped collections or similar) to prevent tampering. Supports compliance reporting for SOC2, HIPAA, and PCI-DSS with pre-built queries for common audit requirements. Integrates with SIEM systems (Splunk, ELK) for centralized log aggregation and analysis.

Provides pre-configured Docker Compose files for local development and AWS ECS task definitions for production deployment. Includes Terraform modules for infrastructure provisioning (VPC, security groups, load balancers, RDS/DocumentDB). Supports environment-based configuration (dev, staging, production) with separate secrets management. Implements health checks and auto-scaling policies for production deployments. CI/CD pipeline automatically builds and publishes Docker images on code changes.

Provides Helm charts for deploying MCP Gateway & Registry to Kubernetes clusters with support for multiple environments (dev, staging, production). Charts include ConfigMaps for configuration management, Secrets for sensitive data, and StatefulSets for persistent storage. Supports horizontal pod autoscaling based on CPU and memory metrics. Includes NGINX Ingress configuration for external access and TLS termination. Integrates with Kubernetes RBAC for fine-grained access control.

Provides VS Code and Cursor extensions that integrate MCP Gateway & Registry directly into the IDE. Extensions enable developers to discover tools, view documentation, and invoke tools directly from the editor without leaving their development environment. Supports inline tool invocation with parameter input forms and result display. Integrates with editor authentication to use IDE credentials for registry access. Enables developers to test tools while writing agent code.

Provides LangGraph integration that enables agents to automatically populate their tool sets from the registry at runtime. Agents can request tools by name, category, or capability, with the registry returning appropriate tools and binding them to the agent's tool executor. Supports dynamic tool discovery where agents can query the registry during execution to find tools matching current task requirements. Integrates with LangGraph's state management to track tool usage and enable tool selection optimization.

Provides a Python SDK for programmatic access to the registry, enabling agents and applications to discover tools, register servers, and manage configurations without using REST APIs directly. The SDK handles authentication, error handling, and response parsing. Supports both synchronous and asynchronous APIs for integration with async agent frameworks. Includes type hints for IDE autocomplete and static type checking. Provides convenience methods for common operations (discover tools, invoke tool, register server).

Provides a single entry point (NGINX reverse proxy) that routes incoming MCP protocol requests to appropriate backend servers based on server name or path routing rules. Handles SSL/TLS termination, connection pooling, and request forwarding with transparent protocol translation. The gateway maintains a live registry of available MCP servers and their health status, enabling automatic failover and load balancing. Supports both direct MCP server proxying and intelligent tool-finding mode where requests are routed to the most appropriate server based on semantic tool matching.

Enables autonomous AI agents to discover and communicate with each other directly via the A2A protocol, registered through the central registry. Agents register their capabilities, endpoints, and authentication requirements in the registry, allowing other agents to discover and invoke them without human intermediation. The system maintains agent metadata including version, health status, and supported protocols. Communication is authenticated using the same OAuth2 framework as tool access, with audit logging of all A2A interactions. Supports both synchronous request-response and asynchronous message-based patterns.

Provides REST API endpoints for registering, updating, and managing MCP servers in the registry with full version history and semantic versioning support. Tracks server metadata including endpoint URLs, authentication requirements, capability schemas, and deployment status. Implements health checks that periodically probe registered servers and update their status (healthy, degraded, offline). The API supports bulk operations for registering multiple servers, deprecation workflows, and rollback to previous server versions. All server management operations are audited with identity and timestamp information.

Provides REST API endpoints for registering autonomous AI agents, configuring their tool bindings, and managing their lifecycle. Agents register their capabilities, supported tool types, and authentication requirements. The API enables dynamic tool binding where agents can request access to specific tools or tool categories, with the registry validating permissions and provisioning access tokens. Supports agent versioning, configuration snapshots, and rollback to previous configurations. Integrates with LangGraph agent implementations to automatically populate tool sets based on registry configuration.

Implements attribute-based access control (ABAC) through OAuth2 scopes that define what tools, servers, and agents a user or service can access. Scopes are hierarchical (e.g., 'tools:read', 'tools:write:email', 'agents:invoke:analytics-agent') and enforced at the gateway layer before requests reach downstream services. The system supports scope templates that can be assigned to roles or users, enabling rapid permission management at scale. Scope validation occurs at request time, with detailed audit logging of all access decisions (allowed and denied).

Enables multiple MCP Gateway & Registry instances to federate and share tool catalogs, allowing agents and clients to discover tools across organizational boundaries. Registries can be configured as peers, with periodic synchronization of server and agent catalogs. Supports both read-only federation (consuming tools from peer registries) and bidirectional federation (sharing tools with peers). Federation respects access control boundaries; tools are only visible to users with appropriate scopes in both the local and peer registry. Implements conflict resolution for duplicate tool names across federated registries.

Provides a web-based dashboard for exploring registered MCP servers, agents, and tools with interactive search and filtering. The UI displays tool capabilities, parameters, examples, and health status in a user-friendly format. Supports interactive tool testing where users can invoke tools directly from the dashboard with parameter input forms. Includes server management interfaces for registering new servers, updating configurations, and monitoring health. The dashboard implements frontend authentication flow with OAuth2 redirect, enabling seamless integration with enterprise identity providers.

Provides a command-line interface for agents and developers to authenticate with the registry, discover tools, and invoke them directly. The CLI implements OAuth2 device flow for headless authentication (agents without browser access), storing credentials securely in local configuration. Supports interactive tool search with fuzzy matching and semantic queries. The CLI can invoke tools directly, making it useful for testing and debugging. Integrates with shell environments for scripting and automation workflows.